> 18 feb 2015 kl. 20:16 skrev Peter Saint-Andre - &yet <pe...@andyet.net>:
>
>> On 2/18/15 11:53 AM, Pete Resnick wrote:
>>> On 2/18/15 5:07 AM, Leif Johansson wrote:
>>> The idea of making best practice sorta-kinda normative makes me a bit
>>> queasy.
>>
>> Let's not forget that a BCP *is* a community consensus document. It
>> means that the IETF community has decided that we do things a particular
>> way. A BCP *is* normative.
>>
>> I think it's quite reasonable for the document to say, "MUST NOT
>> negotiate SSLv2" because doing otherwise causes harm to implementations
>> and to the net in general. There are no Internet police. If you violate
>> that MUST NOT, you don't go to jail. We're simply saying that they way
>> to do security properly on the Internet is that you MUST NOT use SSLv2.
>>
>> So I don't have a problem with the document saying, "Existing protocols
>> have tradeoffs to make between interoperability and security, so we (the
>> IETF) expect those tradeoffs to be made. New protocols we (the IETF)
>> expect to abide by the requirements and recommendations in this document
>> unless they give some serious justification for not doing so." That's
>> what we mean by a BCP.
>
> Exactly. Yesterday I proposed the following text for the section on
> applicability:
>
> This document does not modify the implementation and deployment
> recommendations (e.g., mandatory-to-implement cipher suites)
> prescribed by existing application protocols that employ TLS or DTLS.
> If the community that uses such an application protocol wishes to
> modernize its usage of TLS or DTLS to be consistent with the best
> practices recommended here, it needs to publish a document that
> explicitly updates the existing application protocol definition (one
> example of such a document is [I-D.ietf-uta-xmpp]).
>
> Designers of new application protocols developed through the Internet
> Standards Process are expected to conform to the best practices
> recommended here, unless they provide documentation of compelling
> reasons that would prevent such conformance (e.g., widespread
> deployment on constrained devices that lack support for the necessary
> algorithms).
>
> Does that meet our needs?
>
wfm
> Peter
>
>
_______________________________________________
Uta mailing list
Uta@ietf.org
https://www.ietf.org/mailman/listinfo/uta
